
What Are Privileged Accounts?

There are a number of different types of privileged accounts in Active Directory and Azure AD / Office 365 that have administrative access to one or more systems.

  • Active Directory: Accounts added to administrative security groups, such as Domain Admins, Administrators, or Enterprise Admins, among others. They can log in to servers locally and remotely, with unrestricted access to the entire company network of servers and workstations. These accounts are a prime target for malware, phishing, and ransomware attacks.
  • Microsoft 365 / Entra ID (formerly Azure AD): Accounts added to pre-defined administrative roles, such as Global Administrator, Privileged Authentication Administrator, or Password Administrator. These accounts are used to set up, configure, and manage access to resources hosted in Entra ID and Microsoft 365. They are a key target for attackers, as compromising them opens the door to phishing campaigns that spread malware from compromised user mailboxes as a precursor to ransomware attacks.
  • Local Administrator Accounts: Accounts with local administrative access to domain-joined servers or member servers, standalone servers not joined to an Active Directory domain, domain-joined workstations, or workstations not joined to Active Directory. These accounts only have privileged access on the system they reside on. It is common for MSPs and IT departments to use local administrator accounts as a backdoor to a member server or PC if their access to the Active Directory domain is unavailable or has issues. Using the same password for all local administrator accounts poses a security risk: the password can easily be guessed and remains static for years, making it a prime target for attackers.
  • Service Accounts: Active Directory or local accounts used to authenticate a Windows service that runs an application, database, or system tool. These accounts often have administrative access to Active Directory or the local system to provide the access required by the application they are configured to run. Since the Windows service depends on these accounts, their passwords cannot simply be reset without taking extra steps to ensure the Windows service is updated with the new password.
  • Scheduled Task Accounts: All Windows servers and workstations have a task scheduler used to run scripts or updates at a set time or interval. Accounts used to authenticate scheduled tasks can often have administrative access to the local system or to all systems on the corporate network. As with service accounts, passwords configured in a scheduled task must also be updated after they are reset.
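
As an added example (not code from the original page or its vendor), the following PowerShell script inventories, for one account, the AD administrative groups, local Administrators groups, Windows services, and scheduled tasks in which it holds privilege, so that service and task dependencies are known before the password is reset. It assumes the RSAT ActiveDirectory module, CIM and PowerShell remoting rights to the hosts listed, and placeholder server names.

```powershell
# Added example: find where a given account holds privilege before rotating its password.
# Assumptions: ActiveDirectory module installed, remoting allowed to the listed hosts,
# and $Computers holds placeholder names you replace with your own servers.
param(
    [Parameter(Mandatory)][string]$SamAccountName,    # e.g. 'svc-backup'
    [string[]]$Computers = @('SERVER01', 'SERVER02')  # placeholder host names
)
Import-Module ActiveDirectory

# 1. Direct or nested membership in built-in AD administrative groups.
$adminGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins'
foreach ($g in $adminGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    if ($members -contains $SamAccountName) {
        [pscustomobject]@{ Type = 'AD admin group'; Where = $g; Detail = 'member (possibly nested)' }
    }
}

# Match 'DOMAIN\name', 'name@domain', or bare 'name' in service/task principals.
$pattern = "(^|\\)$([regex]::Escape($SamAccountName))(@|$)"

foreach ($c in $Computers) {
    # 2. Windows services whose logon account is this account (Win32_Service.StartName).
    Get-CimInstance -ClassName Win32_Service -ComputerName $c |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Service'; Where = $c; Detail = "$($_.Name) runs as $($_.StartName)" }
        }

    # 3. Scheduled tasks whose principal is this account.
    $session = New-CimSession -ComputerName $c
    Get-ScheduledTask -CimSession $session |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Scheduled task'; Where = $c; Detail = "$($_.TaskPath)$($_.TaskName) runs as $($_.Principal.UserId)" }
        }
    Remove-CimSession $session

    # 4. Membership in the host's local Administrators group.
    Invoke-Command -ComputerName $c -ScriptBlock { Get-LocalGroupMember -Group 'Administrators' } |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'Local Administrators'; Where = $c; Detail = $_.Name }
        }
}
```

Every service or task the script reports must have its stored credential updated after the reset, or it will stop authenticating.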